Bug 343153 - kio_sftp crashes if sftp_write(...) fails (double-free in sftpProtocol::sftpPut)
Summary: kio_sftp crashes if sftp_write(...) fails (double-free in sftpProtocol::sftpPut)
Status: RESOLVED FIXED
Alias: None
Product: kio-extras
Classification: Frameworks and Libraries
Component: default
Version: unspecified
Platform: Other Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Plasma Development Mailing List
Reported: 2015-01-22 13:04 UTC by Kevin Funk
Modified: 2015-01-22 16:14 UTC
Description Kevin Funk 2015-01-22 13:04:36 UTC
Situation: Disk on remote server is full. In that case, when saving the file, sftp_write inside kio_sftp.cpp will fail. This leads to a crash later on.

Error in `kio_sftp.so [kdeinit5] sftp local:/run/user/1000/klauncherXM8394.1.slave-socket local:/run/user/1000/katewZ9343.3.slave-socket': free(): invalid pointer: 0x0000000000a54770 ***

Tested with Kate 5.x when working on a file opened via sftp protocol.

Valgrind report:
(...)
==10659== Invalid read of size 8
==10659==    at 0xF79E62E: sftp_attributes_free (sftp.c:1542)
==10659==    by 0xF56807B: sftpProtocol::sftpPut(KUrl const&, int, QFlags<KIO::JobFlag>, int&, int) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF568DE3: sftpProtocol::sftpCopyPut(KUrl const&, QString const&, int, QFlags<KIO::JobFlag>, int&) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF5692B7: sftpProtocol::copy(QUrl const&, QUrl const&, int, QFlags<KIO::JobFlag>) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4EBDA08: KIO::SlaveBase::dispatch(int, QByteArray const&) (in /usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0x4EB7BBD: KIO::SlaveBase::dispatchLoop() (in /usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0xF5646C3: kdemain (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4016B7: main (in /usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave)
==10659==  Address 0x17f8f188 is 40 bytes inside a block of size 144 free'd
==10659==    at 0x4C2C2E0: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10659==    by 0xF568073: sftpProtocol::sftpPut(KUrl const&, int, QFlags<KIO::JobFlag>, int&, int) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF568DE3: sftpProtocol::sftpCopyPut(KUrl const&, QString const&, int, QFlags<KIO::JobFlag>, int&) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF5692B7: sftpProtocol::copy(QUrl const&, QUrl const&, int, QFlags<KIO::JobFlag>) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4EBDA08: KIO::SlaveBase::dispatch(int, QByteArray const&) (in /usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0x4EB7BBD: KIO::SlaveBase::dispatchLoop() (in /usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0xF5646C3: kdemain (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4016B7: main (in /usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave)
==10659== 
==10659== Invalid free() / delete / delete[] / realloc()
==10659==    at 0x4C2BE10: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10659==    by 0xF56807B: sftpProtocol::sftpPut(KUrl const&, int, QFlags<KIO::JobFlag>, int&, int) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF568DE3: sftpProtocol::sftpCopyPut(KUrl const&, QString const&, int, QFlags<KIO::JobFlag>, int&) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF5692B7: sftpProtocol::copy(QUrl const&, QUrl const&, int, QFlags<KIO::JobFlag>) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4EBDA08: KIO::SlaveBase::dispatch(int, QByteArray const&) (in /usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0x4EB7BBD: KIO::SlaveBase::dispatchLoop() (in /usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0xF5646C3: kdemain (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4016B7: main (in /usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave)
==10659==  Address 0x17f8f160 is 0 bytes inside a block of size 144 free'd
==10659==    at 0x4C2C2E0: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10659==    by 0xF568073: sftpProtocol::sftpPut(KUrl const&, int, QFlags<KIO::JobFlag>, int&, int) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF568DE3: sftpProtocol::sftpCopyPut(KUrl const&, QString const&, int, QFlags<KIO::JobFlag>, int&) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0xF5692B7: sftpProtocol::copy(QUrl const&, QUrl const&, int, QFlags<KIO::JobFlag>) (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4EBDA08: KIO::SlaveBase::dispatch(int, QByteArray const&) (in /usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0x4EB7BBD: KIO::SlaveBase::dispatchLoop() (in /usr/lib/x86_64-linux-gnu/libKF5KIOCore.so.5.3.0)
==10659==    by 0xF5646C3: kdemain (in /usr/lib/x86_64-linux-gnu/qt5/plugins/kio_sftp.so)
==10659==    by 0x4016B7: main (in /usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave)

(Sorry for the missing line numbers, Kubuntu's debug packages are a bit messed up atm)

Reproducible: Always

Steps to Reproduce:
1. Open file via sftp protocol in Kate
2. Try to save
3. kio_sftp crashes
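The valgrind report above shows the same 144-byte block released twice on the failed-write path: first through operator delete inside sftpProtocol::sftpPut, then again via sftp_attributes_free, and the fix in the commits below is a one-line removal. The following C program is an added illustration of that error-path shape and is not code from kio_sftp or libssh. It assumes a simplified put routine with a shared cleanup label; attrs_t, attrs_new and attrs_free are constructed stand-ins for libssh's sftp_attributes and sftp_attributes_free, write_ok and write_enospc stand in for sftp_write succeeding and failing (remote disk full), and the tracked allocator exists only so the second release is counted rather than corrupting the real heap. It does not attempt to reproduce the delete/free mismatch visible in the trace, only the double release.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libssh's sftp_attributes (not libssh code). */
typedef struct {
    char   name[64];
    size_t size;
    int    live;   /* bookkeeping: 1 while allocated, 0 after release */
} attrs_t;

/* Tiny tracked allocator: a release of an already-released object is
 * counted instead of corrupting the heap (valgrind/ASan would flag the
 * real thing; here we count it ourselves). */
#define MAX_ATTRS 8
static attrs_t g_slots[MAX_ATTRS];
static int g_live_count   = 0;   /* objects currently allocated */
static int g_double_frees = 0;   /* releases of already-released objects */

static void tracker_reset(void) {
    memset(g_slots, 0, sizeof g_slots);
    g_live_count = 0;
    g_double_frees = 0;
}

/* Stand-in for allocating the attributes of the remote file. */
static attrs_t *attrs_new(const char *name) {
    for (int i = 0; i < MAX_ATTRS; i++) {
        if (!g_slots[i].live) {
            attrs_t *a = &g_slots[i];
            snprintf(a->name, sizeof a->name, "%s", name);
            a->size = 0;
            a->live = 1;
            g_live_count++;
            return a;
        }
    }
    return NULL;
}

/* Stand-in for sftp_attributes_free(). */
static void attrs_free(attrs_t *a) {
    if (a == NULL) return;
    if (!a->live) { g_double_frees++; return; }  /* the bug being hunted */
    a->live = 0;
    g_live_count--;
}

/* Stand-ins for sftp_write(): one succeeds, one fails as if the remote
 * disk were full. */
typedef int (*write_fn)(const char *buf, size_t len);
static int write_ok(const char *buf, size_t len)     { (void)buf; return (int)len; }
static int write_enospc(const char *buf, size_t len) { (void)buf; (void)len; return -1; }

/* Buggy shape: the error path releases the attributes, then jumps into
 * the shared cleanup that releases them a second time. */
static int put_file_buggy(write_fn w, const char *data, size_t len) {
    attrs_t *attrs = attrs_new("remote.txt");
    int rc = 0;
    if (attrs == NULL) return -1;
    if (w(data, len) < 0) {
        attrs_free(attrs);   /* first release ... */
        rc = -1;
        goto cleanup;
    }
    attrs->size = len;
cleanup:
    attrs_free(attrs);       /* ... second release on the error path */
    return rc;
}

/* Fixed shape: the error path only records the failure; the single
 * cleanup block is the one owner of the release. */
static int put_file_fixed(write_fn w, const char *data, size_t len) {
    attrs_t *attrs = attrs_new("remote.txt");
    int rc = 0;
    if (attrs == NULL) return -1;
    if (w(data, len) < 0) {
        rc = -1;
        goto cleanup;
    }
    attrs->size = len;
cleanup:
    attrs_free(attrs);
    return rc;
}

/* Run one variant against one write behaviour; 0 double frees is the goal. */
static int double_frees_for(int (*put)(write_fn, const char *, size_t), write_fn w) {
    tracker_reset();
    put(w, "hello", 5);
    return g_double_frees;
}

/* Objects still live after the call; 0 means the cleanup path leaks nothing. */
static int leaked_after(int (*put)(write_fn, const char *, size_t), write_fn w) {
    tracker_reset();
    put(w, "hello", 5);
    return g_live_count;
}

int main(void) {
    printf("buggy, write fails: %d double free(s)\n", double_frees_for(put_file_buggy, write_enospc));
    printf("fixed, write fails: %d double free(s)\n", double_frees_for(put_file_fixed, write_enospc));
    printf("fixed, write ok:    %d object(s) leaked\n", leaked_after(put_file_fixed, write_ok));
    return 0;
}
```

The point of the fixed variant is a single owner for the release: an error branch sets the return code and jumps to cleanup, and nothing but the cleanup block frees. On real code the same class of bug is caught exactly the way the reporter caught it, by running the slave under valgrind, or by building with -fsanitize=address, which aborts on the second free with both stacks; both only fire if the failing branch is actually exercised, so a test that forces the write to fail (as write_enospc does here) is what makes the defect visible.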
Comment 1 Andreas Schneider 2015-01-22 16:10:57 UTC
Git commit 860ceeaa4346f24daad62f6e9ddcc61b58f7a5db by Andreas Schneider.
Committed on 22/01/2015 at 16:10.
Pushed by anschneider into branch 'master'.

sftp: Fix a double free if file copy fails.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>

M  +0    -1    kioslave/sftp/kio_sftp.cpp

http://commits.kde.org/kde-runtime/860ceeaa4346f24daad62f6e9ddcc61b58f7a5db
Comment 2 Andreas Schneider 2015-01-22 16:11:26 UTC
Git commit ad1443e4f96162c77fa1582d2e8a57dec545514e by Andreas Schneider.
Committed on 22/01/2015 at 16:10.
Pushed by anschneider into branch 'KDE/4.14'.

sftp: Fix a double free if file copy fails.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 860ceeaa4346f24daad62f6e9ddcc61b58f7a5db)

M  +0    -1    kioslave/sftp/kio_sftp.cpp

http://commits.kde.org/kde-runtime/ad1443e4f96162c77fa1582d2e8a57dec545514e
Comment 3 Andreas Schneider 2015-01-22 16:11:49 UTC
Git commit 7c1477af137a81a41c2bfea300fa45908b2e8bd6 by Andreas Schneider.
Committed on 22/01/2015 at 16:10.
Pushed by anschneider into branch 'Applications/14.12'.

sftp: Fix a double free if file copy fails.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 860ceeaa4346f24daad62f6e9ddcc61b58f7a5db)

M  +0    -1    kioslave/sftp/kio_sftp.cpp

http://commits.kde.org/kde-runtime/7c1477af137a81a41c2bfea300fa45908b2e8bd6
Comment 4 Andreas Schneider 2015-01-22 16:14:10 UTC
Git commit 849b13902495a7e0b202d93aedf8fe627220e914 by Andreas Schneider.
Committed on 22/01/2015 at 16:15.
Pushed by anschneider into branch 'master'.

sftp: Fix a double free if file copy fails.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>

M  +0    -1    sftp/kio_sftp.cpp

http://commits.kde.org/kio-extras/849b13902495a7e0b202d93aedf8fe627220e914
Comment 5 Andreas Schneider 2015-01-22 16:14:31 UTC
Git commit 0a26e67f93462015bc680aeb2b77bd9f5cfaf2ad by Andreas Schneider.
Committed on 22/01/2015 at 16:15.
Pushed by anschneider into branch 'Plasma/5.2'.

sftp: Fix a double free if file copy fails.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 849b13902495a7e0b202d93aedf8fe627220e914)

M  +0    -1    sftp/kio_sftp.cpp

http://commits.kde.org/kio-extras/0a26e67f93462015bc680aeb2b77bd9f5cfaf2ad